Analysis
-
max time kernel
123s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
19-05-2024 10:30
General
-
Target
5fbdf8ec2016bd1182896f1dda346d12af71fb3fbfdca4ae7f9d0266151dbd2e.exe
-
Size
176KB
-
MD5
0e8acf4f2931765ede72461518632120
-
SHA1
f5d5c4b54584014c1c5d6c8b7f936e286b2d86b1
-
SHA256
5fbdf8ec2016bd1182896f1dda346d12af71fb3fbfdca4ae7f9d0266151dbd2e
-
SHA512
99e8819ae3ef4a27de5a1faab97407e90f4a2f67b9ab5228a3c79dd6e6fb2ab0bc0041e77134f3fe6820557d1c063378227bbc47d09433fa0bb5a28bf43ae8a3
-
SSDEEP
3072:kVJvcLqR7QAJJ+JwBVWWvMaRDr0td4LVXA:ZLq1nvRDr+d4JA
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 2 IoCs
-
UPX packed file 23 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Adds Run key to start application 2 TTPs 12 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in Program Files directory 5 IoCs
-
Drops file in Windows directory 21 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 33 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 55 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\5fbdf8ec2016bd1182896f1dda346d12af71fb3fbfdca4ae7f9d0266151dbd2e.exe"C:\Users\Admin\AppData\Local\Temp\5fbdf8ec2016bd1182896f1dda346d12af71fb3fbfdca4ae7f9d0266151dbd2e.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\WINDOWS\system\Fun.exeC:\WINDOWS\system\Fun.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\SVIQ.EXEC:\WINDOWS\SVIQ.EXE4⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\WINDOWS\dc.exeC:\WINDOWS\dc.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
6Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SVIQ.EXEFilesize
176KB
MD50e8acf4f2931765ede72461518632120
SHA1f5d5c4b54584014c1c5d6c8b7f936e286b2d86b1
SHA2565fbdf8ec2016bd1182896f1dda346d12af71fb3fbfdca4ae7f9d0266151dbd2e
SHA51299e8819ae3ef4a27de5a1faab97407e90f4a2f67b9ab5228a3c79dd6e6fb2ab0bc0041e77134f3fe6820557d1c063378227bbc47d09433fa0bb5a28bf43ae8a3
-
F:\psmfr.exeFilesize
100KB
MD5c57b2f70d5007e9a723c78fc96f471b9
SHA1d0c969894688544fe217d5234a7872925dd98503
SHA25695126861e1d98612ff1ae5c086fca06f13b937b637be9e2fab50bc8e97faf40e
SHA51228d1c51bab50bd5efab1b02511f9ca8e063ee17ad4b3de4b5917a4c6c1da2108b10853bbbe6a2d8c10b67f4f16a2144316accd034c05ba791e158513bad65fa7
-
memory/1124-22-0x0000000001F10000-0x0000000001F12000-memory.dmpFilesize
8KB
-
memory/1988-46-0x0000000005C60000-0x0000000005C8D000-memory.dmpFilesize
180KB
-
memory/1988-20-0x0000000002660000-0x00000000036EE000-memory.dmpFilesize
16.6MB
-
memory/1988-0-0x0000000000400000-0x000000000042D000-memory.dmpFilesize
180KB
-
memory/1988-34-0x0000000002660000-0x00000000036EE000-memory.dmpFilesize
16.6MB
-
memory/1988-82-0x0000000002660000-0x00000000036EE000-memory.dmpFilesize
16.6MB
-
memory/1988-36-0x0000000003880000-0x0000000003882000-memory.dmpFilesize
8KB
-
memory/1988-35-0x0000000003880000-0x0000000003882000-memory.dmpFilesize
8KB
-
memory/1988-33-0x0000000005760000-0x0000000005761000-memory.dmpFilesize
4KB
-
memory/1988-31-0x0000000005760000-0x0000000005761000-memory.dmpFilesize
4KB
-
memory/1988-30-0x0000000003880000-0x0000000003882000-memory.dmpFilesize
8KB
-
memory/1988-9-0x0000000002660000-0x00000000036EE000-memory.dmpFilesize
16.6MB
-
memory/1988-6-0x0000000002660000-0x00000000036EE000-memory.dmpFilesize
16.6MB
-
memory/1988-19-0x0000000002660000-0x00000000036EE000-memory.dmpFilesize
16.6MB
-
memory/1988-11-0x0000000002660000-0x00000000036EE000-memory.dmpFilesize
16.6MB
-
memory/1988-8-0x0000000002660000-0x00000000036EE000-memory.dmpFilesize
16.6MB
-
memory/1988-83-0x0000000002660000-0x00000000036EE000-memory.dmpFilesize
16.6MB
-
memory/1988-2-0x0000000002660000-0x00000000036EE000-memory.dmpFilesize
16.6MB
-
memory/1988-129-0x0000000003880000-0x0000000003882000-memory.dmpFilesize
8KB
-
memory/1988-75-0x0000000005C60000-0x0000000005C8D000-memory.dmpFilesize
180KB
-
memory/1988-81-0x0000000002660000-0x00000000036EE000-memory.dmpFilesize
16.6MB
-
memory/1988-122-0x0000000002660000-0x00000000036EE000-memory.dmpFilesize
16.6MB
-
memory/1988-121-0x0000000002660000-0x00000000036EE000-memory.dmpFilesize
16.6MB
-
memory/1988-120-0x0000000002660000-0x00000000036EE000-memory.dmpFilesize
16.6MB
-
memory/1988-47-0x0000000005C60000-0x0000000005C8D000-memory.dmpFilesize
180KB
-
memory/1988-21-0x0000000002660000-0x00000000036EE000-memory.dmpFilesize
16.6MB
-
memory/1988-18-0x0000000002660000-0x00000000036EE000-memory.dmpFilesize
16.6MB
-
memory/1988-5-0x0000000002660000-0x00000000036EE000-memory.dmpFilesize
16.6MB
-
memory/1988-85-0x0000000002660000-0x00000000036EE000-memory.dmpFilesize
16.6MB
-
memory/1988-86-0x0000000002660000-0x00000000036EE000-memory.dmpFilesize
16.6MB
-
memory/1988-88-0x0000000002660000-0x00000000036EE000-memory.dmpFilesize
16.6MB
-
memory/1988-90-0x0000000002660000-0x00000000036EE000-memory.dmpFilesize
16.6MB
-
memory/1988-91-0x0000000002660000-0x00000000036EE000-memory.dmpFilesize
16.6MB
-
memory/1988-93-0x0000000002660000-0x00000000036EE000-memory.dmpFilesize
16.6MB
-
memory/2512-77-0x0000000000400000-0x000000000042D000-memory.dmpFilesize
180KB
-
memory/2512-115-0x0000000002560000-0x0000000002562000-memory.dmpFilesize
8KB
-
memory/2512-168-0x0000000002560000-0x0000000002562000-memory.dmpFilesize
8KB
-
memory/2512-118-0x0000000002560000-0x0000000002562000-memory.dmpFilesize
8KB
-
memory/2512-114-0x0000000002570000-0x0000000002571000-memory.dmpFilesize
4KB
-
memory/2588-64-0x0000000001BD0000-0x0000000001BFD000-memory.dmpFilesize
180KB
-
memory/2588-65-0x0000000001BD0000-0x0000000001BFD000-memory.dmpFilesize
180KB
-
memory/2588-102-0x0000000001C50000-0x0000000001C51000-memory.dmpFilesize
4KB
-
memory/2588-106-0x0000000001C40000-0x0000000001C42000-memory.dmpFilesize
8KB
-
memory/2588-48-0x0000000000400000-0x000000000042D000-memory.dmpFilesize
180KB
-
memory/2588-116-0x0000000001C40000-0x0000000001C42000-memory.dmpFilesize
8KB
-
memory/2588-166-0x0000000001C40000-0x0000000001C42000-memory.dmpFilesize
8KB
-
memory/2728-109-0x0000000000540000-0x0000000000542000-memory.dmpFilesize
8KB
-
memory/2728-66-0x0000000000400000-0x000000000042D000-memory.dmpFilesize
180KB
-
memory/2728-117-0x0000000000540000-0x0000000000542000-memory.dmpFilesize
8KB
-
memory/2728-167-0x0000000000540000-0x0000000000542000-memory.dmpFilesize
8KB
-
memory/2728-107-0x0000000000550000-0x0000000000551000-memory.dmpFilesize
4KB